Spam-spyware combo will spawn targeted attack tools

By John K. Waters

06/05/2006

The IT security landscape is about to be hit with a potentially devastating seismic
shift, says Mark Sunner, CTO of Message Labs: the convergence of phishing-type
spam e-mails and spyware. It is a combination of powerful social engineering techniques
and stealthy information-gathering capabilities, he says, that will soon take
the bad guys to a whole new level.

"I have no doubt that a year or so from now, we'll look back on this timeframe
as a trigger point when threats started to shift in this direction," Sunner
says. "We'll look back on this period in the same way we look back at 2003
as the year botnets went from an embryonic stage to the source of virtually
all spam. We'll look back and say that this is when the threats truly became
targeted."

Sunner issued his warning at the annual INBOX e-mail conference,
held last week in San Jose, CA, during the "Savvy Spammer" panel discussion.

Peter Christy, principal analyst at the Internet Research Group and moderator
of the panel, told conference attendees that "botnets"—those collections
of compromised PCs running under a common command-and-control infrastructure,
employed by cybercriminals to send out spam or to mount denial of service (DoS) attacks—are
now so prevalent that more than 90 percent of spam message volume originates
from bot-infected machines.

"Sixty percent of home users on broadband networks are probably infected
and in some degree controllable for the forces of evil," Christy said.

E-mail has become the most widely used method for hacking into corporate networks,
stealing identities, crippling IT systems, and committing online crimes, Sunner
says. Sunner's company scans 170 million corporate e-mails a day. That kind
of volume gives the company a big-picture view that has revealed this spam-spyware
convergence, he says. Sunner is on something of a mission to get the word out.

"In the early part of 2003, we were, in the same way, talking about the
conversion of viruses and spam," he says, "and that trend didn't get
picked up by the press until the end of the year. As a result, spam levels were
being driven up very dramatically. This time around, we're looking at something
that is going to be as significant an event, and I think we have a responsibility
to be a bit more vocal about it, to sort of push it. We need to be aware of
what's actually going on."

The spam-spyware combo will spawn sophisticated tools for increasingly targeted
mischief, Sunner says. "When spyware was started it was about catching
the browser as people were searching for keywords like 'car,' and delivering
a related popup ad," he says. "But the bad guys realized that they
were getting back more data than they were looking for, and they began profiling
what people were searching for and selling that information to commercial entities."

"Phishing"—the e-mail scamming technique designed to acquire
sensitive info, such as passwords and credit card numbers, through messages
that appear to be from a trustworthy person or official source—has already
morphed into a more targeted species known as "spear phishing." The
spam-spyware convergence has the potential to provide enough information for
a detailed profile of individual users, enabling even more refined frauds. A
fraudster could, for example, send an official-looking e-mail to an eBay user
who just lost out on a bid, telling him that the winner backed out and that
he has now won—and to send his payment info.

Sunner predicts that this convergence will pick up steam very quickly. It took
roughly 16 years for viruses to evolve from early boot-sector malware to the
modern, commercially motivated malware we see today. Spyware has gone through
the same development cycle in a mere 4 years, he says.

Sunner also believes that this change in the threat landscape will affect the
planning and resource allocation of ISVs. Unfortunately, these kinds of security
trends tend to be missed by software developers, even when they become mainstream,
says security expert Gary McGraw, CTO of Cigital and author of Software Security:
Building Security In.

"I've talked to tens of thousands of developers over the past few
years," McGraw says, "and I know that they're not irresponsible, and
they actually want to learn about this stuff. They're just nice, very
optimistic guys who are surprised that anyone would do those mean things to
their code."

Keeping up with the practices of digital malefactors is one of the keys to
beating them, says McGraw. "The only way to do software security is to
have two hats," he says. "You've got to do some of the bad-guy
stuff and some of the good-guy stuff. You've got to build it right, and
you've got to attack it as though you were a bad guy. Good and bad, black
and white; they're inextricably bound together."

About the Author

John K. Waters is a freelance writer based in Silicon Valley. He can be reached
at john@watersworks.com.